Azure Backup stands firm on the promise of simplicity, security, and reliability by giving customers a smooth and dependable experience across scenarios. Continuing on the enterprise data-protection promise, today we are excited to announce support for backup and restore of Azure virtual machines encrypted using a BitLocker Encryption Key (BEK), for managed or unmanaged disks. This announcement augments the existing capability to back up VMs encrypted using both a BitLocker Encryption Key (BEK) and a Key Encryption Key (KEK). This support is available using Portal and PowerShell.

Key benefits

With this release, Azure Backup provides:

Backup of VMs encrypted using BEK only, as well as both BEK and KEK: Azure Backup now supports backup of VMs encrypted using BEK only, along with the already supported scenario of BEK and KEK together. The BEK (secrets) and KEK (keys) that are backed up are encrypted, so they can be read and used only when restored back to the key vault by authorized users.

Backup of both managed and unmanaged disks in encrypted VMs: Application-consistent backup is now supported for both managed and unmanaged disks, which gives users the freedom to create any kind of encrypted VM and then back it up using Azure Backup.

Value proposition

This feature provides:

Simplified experience: With this release, the backup process seamlessly acquires access to the key vault without requiring user intervention, leading to a smooth and simplified experience.

Enhanced security: Since the BEK is also backed up, in scenarios where the BEK is lost, authorized users can restore the BEK to the key vault and recover the encrypted VM. Since the keys and secrets of encrypted VMs are backed up in encrypted form, neither unauthorized users nor Azure can read or use these backed-up keys and secrets. Only users with the right level of permissions can back up and restore encrypted VMs, as well as keys and secrets.